Reputation: 63
I want to retrieve the creator of a virtual machine under Azure using an Azure RM PowerShell cmdlet or an API which could return this type of information.
I used the "Get-AzureRmVM" command and the "GET https://management.azure.com/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/virtualMachines/vmName?api-version=2018-06-01" API, but neither of them returns information about the creator of the VM.
Upvotes: 3
Views: 3388
Reputation: 3804
You can use the Get-AzLog command to look for the caller value in the Azure Activity logs.
Examples can be found here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit#powershell
You can also set up alerts in Azure Monitoring that can send you an email or text message every time a VM is created.
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
```powershell
# Requires the Az module to be installed on your machine. You can get this by running Install-Module 'Az'

# After calling this, a browser window opens, allowing you to log into Azure through the UI
# under the relevant credentials; on successful login the token for this session is
# returned to your PowerShell session
Connect-AzAccount

# Sets your scope to the subscription you're interested in
Set-AzContext -Subscription 'myAzSubscription'

# Fetches (successful) events in the past 2 weeks,
# filters for those related to VM write events (which includes creating VMs, though sadly
# we can't filter for just VM creations),
# and groups by resource ID (i.e. VM).
# Note: The Get-AzLog function can return a maximum of 100,000 events (and this count is
# based on the filters provided as parameters; filters applied to the results of the cmdlet
# won't impact this limit), so if things have been particularly busy some of the log may be
# truncated. If that's a common issue for you, try narrowing the event's time window or
# restricting queries to specific resource groups.
$events = Get-AzLog -StartTime ((Get-Date).AddDays(-14)) -ResourceProvider 'Microsoft.Compute' -Status 'Succeeded' -MaxRecord 100000 |
    Where-Object { $_.Authorization.Action -eq 'Microsoft.Compute/virtualMachines/write' } |
    Group-Object -Property @{E = { $_.Authorization.Scope }}

# For each VM, get the first event with a human caller (i.e. ignore system-generated events)
# and return that caller's name. Filter out events that didn't have a human caller as irrelevant.
$events |
    Select-Object Name, @{N = 'InitiatedBy'; E = {
        $_.Group |
            Sort-Object SubmissionTimestamp |
            Select-Object -ExpandProperty 'caller' |
            Where-Object { $_ -like '*@*' } |
            Select-Object -First 1
    } } |
    Where-Object InitiatedBy |
    Format-Table -AutoSize
```
Upvotes: 2
Reputation: 72151
This information is not exposed in the Azure API (unfortunately). Your only option is to take a look at the activity logs of the resource and find the very first write operation to the resource. Unfortunately, resources do not expose creation time either, so you cannot be sure you will find the proper creator, because activity logs only go back 90 days.
Upvotes: 1
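The approach from the answers above (earliest write event per VM, read against the 90-day log window), as an added example that is not part of either answer. It keeps non-user callers instead of dropping them and flags a VM whose earliest visible write sits at the retention edge, where the real creation event may already have aged out. The function names `Get-VmFirstWriter` and `New-SampleEvent`, the 2-day margin and the sample events are assumptions constructed for illustration; live input would come from the `Get-AzLog` call shown earlier.

```powershell
# Added example. Input objects are shaped like Get-AzLog output
# (EventTimestamp, Caller, Authorization.Action, Authorization.Scope).
function Get-VmFirstWriter {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [datetime] $Now = (Get-Date),
        [int] $RetentionDays = 90,   # activity log retention stated in the answer above
        [int] $EdgeMarginDays = 2    # assumption: events this close to the limit are suspect
    )
    $edge = $Now.AddDays(-($RetentionDays - $EdgeMarginDays))
    $Events |
        Where-Object { $_.Authorization.Action -eq 'Microsoft.Compute/virtualMachines/write' } |
        Group-Object -Property { $_.Authorization.Scope } |
        ForEach-Object {
            $first = $_.Group | Sort-Object EventTimestamp | Select-Object -First 1
            [pscustomobject]@{
                Vm           = ($_.Name -split '/')[-1]
                FirstWriteAt = $first.EventTimestamp
                Caller       = $first.Caller
                # Keep non-user callers: pipelines and automation also create VMs
                CallerType   = if ($first.Caller -like '*@*') { 'User' } else { 'AppOrSystem' }
                # Earliest visible write sits at the retention edge, so older
                # events (including the real creation) may already be gone
                NearRetentionLimit = $first.EventTimestamp -le $edge
            }
        }
}

# Constructed sample events (hypothetical, not real log data)
$sampleNow = [datetime]'2019-06-30'
function New-SampleEvent($DaysAgo, $Caller, $Vm, $Action = 'Microsoft.Compute/virtualMachines/write') {
    [pscustomobject]@{
        EventTimestamp = $sampleNow.AddDays(-$DaysAgo)
        Caller         = $Caller
        Authorization  = [pscustomobject]@{
            Action = $Action
            Scope  = "/subscriptions/<subscription-id>/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/$Vm"
        }
    }
}
$sample = @(
    New-SampleEvent 89 'bob@example.com' 'vm-old'
    New-SampleEvent 12 'alice@example.com' 'vm-web'
    New-SampleEvent 3  'carol@example.com' 'vm-web'
    New-SampleEvent 20 '11111111-1111-1111-1111-111111111111' 'vm-ci'
    New-SampleEvent 25 'dave@example.com' 'vm-ci' 'Microsoft.Compute/virtualMachines/start/action'
)
Get-VmFirstWriter -Events $sample -Now $sampleNow | Format-Table -AutoSize
```

The earliest write is only the best available candidate for the creator: a VM created before the log window and updated later shows the updater, not the creator.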